Almost 15 years after Amazon launched AWS, public cloud platforms have become extraordinarily sophisticated and feature-rich, as well as wildly popular, creating a world of security and compliance challenges that gets more complex by the day, said Badri Raghunathan, Qualys product management director, on Thursday during his QSC USA 2020 presentation “Securing Cloud and Container Workloads: A View From the Trenches.”
As the foundation for the modern IT innovations that propel digital transformation, public cloud platforms have become fundamental for business agility and competitiveness, and thus need comprehensive security with continuous prevention, detection and response. However, much work still remains to be done to make that a widespread reality among enterprises.
“From a security standpoint, are we there yet? Sadly, that’s not the case,” said Raghunathan.
At the heart of the challenges is the concept of shared responsibility, in which cloud service providers and their customers split security and compliance tasks. IT teams still grapple with this along four key areas. For starters, there’s a skills gap and talent scarcity that makes it hard to find the right application developers, DevOps engineers and security engineers, and to get them working collaboratively.
Then there’s infrastructure as code, which promises an immutable, flexible infrastructure, but in reality is “fairly brittle,” leading to drift, and “fairly tedious” to put in place, Raghunathan said. Complicating matters are the siloed, point security tools that are difficult to manage and to integrate, and that generate fragmented data, limiting visibility and slowing down response.
The Right Architecture
Despite the challenges, there is a way to properly secure your public cloud instances and container deployments with an architecture built on these pillars.
- Shift left means having a set of natively integrated tools whose security and compliance checks are automated and embedded end-to-end into your cloud processes and infrastructure, starting with the design of software builds
- Real-time inventory means having an always updated, comprehensive inventory of all your cloud and container assets for full visibility into your environment
- Quick, precise and continuous prevention, remediation, detection and response is needed to address security and compliance issues
- Built-in security means native integration of your security and compliance tools with the public cloud platforms you’re using
These are the principles Qualys has followed when developing its cloud and container solutions, including Cloud Inventory, Cloud Security Assessment and Container Security. “At Qualys, we firmly believe this is the security architecture that’s needed to address the challenges in the public cloud era,” he said.
Dispatches from the Front Lines
Raghunathan illustrated Qualys’ cloud and container security capabilities with multiple examples of customers using Qualys technology to protect critical and complex public cloud deployments, including these ones.
A North American conglomerate already using Qualys to scan their production environment hosts extended its use of Qualys solutions to “shift left” and scan the entire infrastructure of its CI/CD pipeline. By automating its attack-surface management program, the organization reduced the number of tasks performed at the production stage.
A large bank deploying consumer-facing containerized applications running in AWS Fargate, the hostless container-as-a-service environment, tapped Qualys to implement a vulnerability management program.
A global marketing SaaS provider leveraged Qualys solutions to put in place a compliance program for their entire, multi-cloud infrastructure, and gained the visibility and control required to comply with their internal policies and external mandates and regulations.
A Sneak Peek at What’s Coming
Raghunathan also rolled back the curtain to give QSC attendees a peek at some upcoming enhancements.
For example, Qualys Container Security will get configuration assessment capabilities to give organizations visibility into their container configuration posture. “This is specifically going to entail assessing container images for configuration risks across the pipeline — build, ship and running containers,” he said. This feature will be available next month.
Meanwhile, select customers are testing a new Qualys CloudView feature designed to manage security hygiene at scale with automated remediation. “If you have security findings dealing with misconfigurations, there’s a new class of controls where you can remediate those findings based on controls which are remediable,” Raghunathan said.
In addition, expect “a lot more detection and response capabilities” for both cloud workloads and running containers, as well as more integration between the solutions. “We’ll be bringing these different modules together, in terms of the workflows, where you can view container inventory inside CloudView,” he said.
As the container attack surface continues to evolve, he said, Qualys will help customers keep up with those changes by providing capabilities to scan more advanced containers, like distroless containers.
View this session and all other sessions at QSC USA 2020.